X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=bacula%2Fsrc%2Fstored%2Fauthenticate.c;h=f765eafd3a3a37a896234d6ff3e2330e8fc912f4;hb=8e1af760af1f56f1799dd6df02b3875ebc87407f;hp=49f6551fc54a719ea13dc57fcca3043620736c58;hpb=d7e8d0c2d93c233a7b08506d27c3e8d64f22da98;p=bacula%2Fbacula diff --git a/bacula/src/stored/authenticate.c b/bacula/src/stored/authenticate.c index 49f6551fc5..f765eafd3a 100644 --- a/bacula/src/stored/authenticate.c +++ b/bacula/src/stored/authenticate.c @@ -20,7 +20,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - Bacula® is a registered trademark of John Walker. + Bacula® is a registered trademark of Kern Sibbald. The licensor of Bacula is the Free Software Foundation Europe (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich, Switzerland, email:ftf@fsfeurope.org. @@ -60,13 +60,13 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (rcode != R_DIRECTOR) { Dmsg1(dbglvl, "I only authenticate Directors, not %d\n", rcode); - Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); + Jmsg1(jcr, M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); return 0; } if (bs->msglen < 25 || bs->msglen > 500) { Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n", bs->who(), bs->msglen); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), bs->who(), bs->msglen); return 0; } @@ -77,7 +77,7 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) bs->msg[100] = 0; Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n", bs->who(), bs->msg); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), bs->who(), bs->msg); return 0; } @@ -90,8 +90,8 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (!director) { Dmsg2(dbglvl, "Connection from unknown Director %s at %s rejected.\n", dirname, bs->who()); - Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" - "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), + Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" + "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n"), dirname, bs->who()); free_pool_memory(dirname); return 0; @@ -106,6 +106,10 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } } + if (director->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (director->tls_verify_peer) { verify_list = director->tls_allowed_cns; } @@ -123,23 +127,25 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } if (!auth_success) { - Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n" - "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Incorrect password given by Director.\n" + "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n")); auth_success = false; goto auth_fatal; } /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -147,10 +153,14 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) { - Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n")); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"), + bs->host(), bs->port()); auth_success = false; goto auth_fatal; } + if (director->tls_authenticate) { /* authenticate with tls only? */ + bs->free_tls(); /* yes, shut it down */ + } } auth_fatal: @@ -179,7 +189,7 @@ int authenticate_director(JCR *jcr) if (!authenticate(R_DIRECTOR, dir, jcr)) { dir->fsend("%s", Dir_sorry); Dmsg1(dbglvl, "Unable to authenticate Director at %s.\n", dir->who()); - Emsg1(M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who()); + Jmsg1(jcr, M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who()); bmicrosleep(5, 0); return 0; } @@ -204,6 +214,10 @@ int authenticate_filed(JCR *jcr) } } + if (me->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (me->tls_verify_peer) { verify_list = me->tls_allowed_cns; } @@ -224,7 +238,7 @@ int authenticate_filed(JCR *jcr) if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from File daemon at %s rejected.\n" - "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), + "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n"), fd->who()); auth_success = false; goto auth_fatal; @@ -233,7 +247,8 @@ int authenticate_filed(JCR *jcr) /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -241,6 +256,7 @@ int authenticate_filed(JCR *jcr) /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -248,17 +264,21 @@ int authenticate_filed(JCR *jcr) if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(me->tls_ctx, fd, verify_list)) { - Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\"\n"), + fd->host(), fd->port()); auth_success = false; goto auth_fatal; } + if (me->tls_authenticate) { /* tls authenticate only? */ + fd->free_tls(); /* yes, shut it down */ + } } auth_fatal: stop_bsock_timer(tid); if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from File daemon at %s rejected.\n" - "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), + "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n"), fd->who()); } jcr->authenticated = auth_success;